Introduction to Threat Intelligence/Hunting
Cybersecurity aims to protect the confidentiality, integrity, and availability of information and information systems, which includes both proactive and active defense. In cybersecurity, job overload is common in many organizations, small and large alike. An organization’s IT security specialist is often responsible for multiple duties, such as SOC analyst, incident response, network security administration, and/or threat intelligence. This typically leads to burnout; it has become a major complaint, and job roles need to be segregated so that security professionals can deliver their roles effectively.
Threat intelligence is one of the roles that is commonly merged with other roles, which is why we seldom see a dedicated threat intelligence role. As cybersecurity is a concern, threat intelligence and hunting are inevitable job roles in an organization; they are a must-have in a secure enterprise. They save every other specialist in the organization a lot of stress and panic during an incident. They save the organization time and money by reducing dwell time (the time it takes an organization to detect a breach or incident), and they strengthen security.
Threat intelligence and threat hunting are often mixed up and used interchangeably, yet they are quite different. Depending on the situation, one may come before the other: typically, threat hunting comes before threat intelligence (in my view), and sometimes the latter comes before the former.
Threat hunting is the process of actively looking for threat actors’ Tactics, Techniques, and Procedures (TTPs). It is actively understanding an actor’s capabilities, infrastructure, and modes of operation. Threat hunting is not limited to a single actor; it extends to other threats, and of course if you are hunting an actor, you are also looking for the threats associated with that actor.
Cyber Threat Intelligence is the process of transforming raw cyber threat data about emerging and existing threat actors into intelligence that is actionable in decision-making.
It means distilling threat hunting feeds into intelligent, actionable points needed for decision-making that aids or strengthens security.
What to hunt?
There are three types of threat intelligence, each of which can be narrowed down to suit your organization’s landscape. Each type of intelligence can be hunted. They are:
a. Tactical intelligence: specific attacks and attack vectors. It answers what and when? For example, what is SQL injection, and when can it be launched?
b. Operational intelligence: understanding the attacker’s capabilities, tactics, techniques, and procedures. It answers how? A good example is understanding APT21’s modes of operation.
c. Strategic intelligence: understanding your organization’s threat landscape. It answers who, why, and where? For example, if your organization is a financial institution, understanding why an attacker would come after you is strategic intelligence, and a good understanding of your assets will help you identify the likely avenues of attack.
What to hunt?
This brings us to another important part of threat hunting. Here I will introduce the “Pyramid of Pain”.
The Pyramid of Pain is a visual representation of the different artifacts that can be collected during hunting or intelligence work. It is a hierarchical representation: the higher you go, the more difficult the artifacts become to collect.
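As an added illustration (not from the original post), the following Python hunt matches one constructed intrusion against intel at several Pyramid of Pain levels, from file hashes at the bottom through IPs, domains, host artifacts and tools up to TTPs at the top; every indicator value, event field and the behavioural rule is constructed for this example, not taken from any real actor.

```python
# Added example, not from the original post: hunting one constructed intrusion at
# each Pyramid of Pain level. Indicators, events and the TTP rule are constructed.

# Pyramid of Pain levels, lowest (cheapest for an adversary to change) first.
LEVELS = ["hash", "ip", "domain", "host_artifact", "tool", "ttp"]

# Constructed intel collected from a first intrusion, keyed by pyramid level.
INTEL = {
    "hash": {"3f786850e387550fdab836ed7e6dc881de23001b"},  # constructed SHA-1
    "ip": {"203.0.113.10"},                                # TEST-NET-3 address
    "domain": {"updates.example.net"},
    "host_artifact": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd"},
    "tool": {"mimikatz"},                                  # scanner classification
}
# Which event field carries the indicator for each atomic level.
FIELD_FOR_LEVEL = {"hash": "sha1", "ip": "dest_ip", "domain": "dest_domain",
                   "host_artifact": "registry_key", "tool": "tool"}

def ttp_match(event):
    """TTP-level rule (constructed): an Office application spawning a script
    host that then talks to the network, regardless of hash, IP or domain."""
    return (event.get("parent", "").lower() in {"winword.exe", "excel.exe"}
            and event.get("process", "").lower() in {"powershell.exe", "wscript.exe"}
            and bool(event.get("dest_ip")))

def hunt(event):
    """Return the set of pyramid levels at which one event matches INTEL."""
    hits = {lvl for lvl, fld in FIELD_FOR_LEVEL.items() if event.get(fld) in INTEL[lvl]}
    if ttp_match(event):
        hits.add("ttp")
    return hits

def highest_level(hits):
    """Highest level matched: harder to collect, and costlier for the actor to change."""
    return max(hits, key=LEVELS.index) if hits else None

# Constructed event from the first intrusion: every level matches.
FIRST = {"parent": "WINWORD.EXE", "process": "powershell.exe",
         "sha1": "3f786850e387550fdab836ed7e6dc881de23001b",
         "dest_ip": "203.0.113.10", "dest_domain": "updates.example.net",
         "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_upd",
         "tool": "mimikatz"}

# Same actor after rotating hash, infrastructure and tooling: only the host
# artifact and the behaviour still match, which is why those are worth hunting.
SECOND = dict(FIRST, sha1="0" * 40, dest_ip="198.51.100.7",
              dest_domain="cdn.example.org", tool="custom_dumper")
```

Running `hunt(FIRST)` returns all six levels, while `hunt(SECOND)` returns only the host artifact and TTP levels, showing which of the collected artifacts survive an actor's infrastructure change.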
I will cover where you can get each of these in my next post.